Throughout the vulnerability disclosure process, we perform the following key roles:
- Discover vulnerabilities in vendors' software, products and services.
- Inform the vendor of the vulnerability within their product.
- Maintain confidentiality while the vendor works to remediate the vulnerability.
- Partner closely with the vendor to explain the significance of the vulnerability. If needed, we provide best practices for its resolution.
We believe that prompt and ethical disclosure of the vulnerability achieves a more secure environment for everyone. We make contact through (but not limited to) the vendor's:
- Computer Security Incident Response Team (CSIRT) contact or other security-related contact.
- General contact information provided in their Vulnerability Disclosure Policy.
- Public social channels (e.g., LinkedIn or Twitter).
After initial contact, our goal is to maintain a collaborative partnership with the vendor. We will:
- Provide the vendor with any additional vulnerability details necessary as they work through their remediation process.
- Maintain confidentiality around the vendor’s vulnerability and how it affects their product.
- Adhere to an industry-standard 90-day public disclosure period that starts at our initial attempt to communicate our findings to the vendor. Nearly all vendors can remediate a vulnerability in 90 days or less. Under special circumstances, this period might be extended. We publicly disclose the vulnerability after its remediation. When vendors release their vulnerability fix before the ninetieth (90th) day, we may publicly disclose our findings immediately after that fix's release.
In rare situations, a vendor may remain unresponsive despite several contact attempts from us. In these cases, we have a choice between ignoring the vulnerability and disclosing it within the information security community. Our last option is to publicly disclose a vendor's vulnerability on our website. Often, public disclosure isn't desirable because criminals may exploit the vulnerability. We will use our best discretion to disclose only the least detail necessary, leaving out the key details attackers might need to initiate attacks.
We believe this Vulnerability Disclosure Policy effectively balances our goals of maintaining vendor confidentiality and moving security research forward. The policy remains in alignment with our greater mission of enhancing industry security.